blog.easydns.org (http://blog.easydns.org)
Power & Freedom ™
Feed last built: Thu, 16 Jul 2015 03:01:47 +0000

New GTLDs are great for pump-and-dumps, phishes and more….
http://blog.easydns.org/2015/07/15/new-gtlds-great-for-pump-and-dumps-phishes-and-more/
Posted Wed, 15 Jul 2015 18:34:31 +0000

Yesterday, egregious financial truth-tellers (and easyDNS client) ZeroHedge broke the news that parties unknown engineered what looks to be a textbook "pump-and-dump" on Twitter's stock by putting up a fake "Bloomberg Financial News" site on the domain bloomberg.market and proceeded to run a story on it about Twitter being acquired.

The story spread and shares of Twitter stock promptly spiked on volume, Twitter finishing the day on nearly double the average daily volume.

The reason it can be safely assumed that this was a pretty ingenious pump-and-dump was the purchase, as Zerohedge reveals, the day before of quite a few near-the-money call options on Twitter stock with a strike price of $37. Those calls went solidly into the money on the circulation of the fake story. (You know, sort of like all those put options some lucky parties unknown bought on American Airlines just before 9/11.)

As news of the ruse spread (theDomains reported on it as did many other domaining sites), the price reverted back to its pre-pump value, and later in the day the .market registry operator Rightside took down the domain and released a statement that the action was in accordance with their standard operating procedures.

This case underscores one of the biggest headaches about the new gTLDs: the sudden, dramatic expansion of the root namespace (now over 1,000 top level domains and counting) makes it effectively impossible to "defend one's marks" in all available TLDs.

TLDs such as .email, .company, .support are attractive phishing targets. Remember that when you get the next "reset your apple ID" email from "apple.support".

It's a double-edged sword in many respects: even if a company wanted to move some of their functionality out to an aptly matching TLD, say perhaps, http://easydns.support, there are more public incidents of this type of thing being a phish or a hoax than there are legitimate rebrands or function shifts to new TLD URLs – companies wanting to do this face an uphill battle.

The Losers:

Legitimate Companies: that really do want to rebrand or use new TLDs will have to shout louder and spend more on marketing to out muscle the ever increasing background hum of phishes, scams and frauds passing off on new TLDs.

Target Companies: who will face ever increasing phishing attacks. As Canadian antispam legend (who now works for Apple's abuse department) Neil Schwartzman told me after I suggested Apple re-register a new TLD phishing domain we had just deleted:

Would that we could re-register all the cousins. We see literally hundreds/day.

It becomes effectively impossible to defend one's marks via defensive registrations (something I said a long time ago which new TLD players are beginning to understand).

So what happens now?

The Winners

Criminals: When you combine all these new, perfectly named labels for spearphishing your targets with ICANN-mandated policies that effectively make it mandatory to be vulnerable to them, a new golden age has begun.

DANE: There's going to have to be a way to authenticate the "reality" of any given website other than looking at the domain name and guessing that it's legit. This goes beyond DNSSEC signed zones – which basically guarantees that when you ask for a DNS response for "example.com" you really get a response from "example.com"'s nameservers and that they're real responses. Somebody could register example.support and email all of example.com's customers and simply DNSSEC sign example.support as well.

No, you need something else, something you can hook into the website your customers are used to visiting and somehow asserting that "it's the real site". SSL typically fills this role, but SSL costs money, even the cheap certs, which in a 1000+ channel TLD-verse makes it "expensive" by definition.

which still needs to be filled in, where example.com will (see above: somehow) "assert" which associated domains in other TLDs are legit and which ones aren't. Almost like a Sender Policy Framework (SPF) (which specifies what hostnames, domains and IP blocks are permitted to originate email for a given domain) for "related domains" – like:

example.com asserts that:

example.ca is the Canadian portal for Example Co

example.support is a real support site for Example Co.

example.xxx is a blocking website under .xxx

example.wtf is reserved for Example Co's April Fool's japes

etc.

Either this already exists and I don't know about it, or it should exist and the absolute clusterfsck of grief these new TLDs are already causing will make it happen.
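The following is an added illustration of the SPF-like "related domains" assertion sketched above; it is not code from the post and not an existing standard. It assumes a hypothetical TXT record at _related.<anchor-domain> carrying a v=related1 tag followed by <domain>:<role> tokens, and uses constructed sample zone data in place of a real DNS query. The point it demonstrates is that the decision comes only from what the anchor domain's own zone publishes, so a plausible-looking name in another TLD that the anchor never listed is not related, however convincing the label.

```python
"""Hypothetical 'related domains' assertion, modelled on SPF.

Assumed record format (an assumption for this example, not a real standard):
a TXT record at _related.<anchor-domain> containing the tag  v=related1
followed by  <related-domain>:<role>  tokens.  The anchor domain publishes
which names in other TLDs it vouches for; a verifier checks a candidate name
against that list instead of guessing from the label alone.
"""
from typing import Dict, List, Optional

RECORD_PREFIX = "_related."
VERSION_TAG = "v=related1"

# Constructed sample zone data standing in for DNS TXT lookups.  In a real
# deployment the answer is only trustworthy if it is DNSSEC-validated; that
# is the part DNSSEC already provides and this record would build on.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "_related.example.com": [
        "v=related1 example.ca:portal-ca example.support:support "
        "example.xxx:blocking example.wtf:april-fools",
        "some unrelated txt record that must be ignored",
    ],
}


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def parse_related(txt_records: List[str]) -> Dict[str, str]:
    """Parse TXT strings into {related-domain: role}.

    Records that do not start with the version tag are ignored, as are
    malformed tokens, so junk in the zone cannot turn into an assertion.
    """
    assertions: Dict[str, str] = {}
    for record in txt_records:
        tokens = record.split()
        if not tokens or tokens[0] != VERSION_TAG:
            continue
        for token in tokens[1:]:
            name, sep, role = token.partition(":")
            if not sep or not name or not role:
                continue  # malformed token: no "domain:role" shape
            assertions[normalize(name)] = role
    return assertions


def lookup_txt(name: str, zone: Dict[str, List[str]] = SAMPLE_ZONE) -> List[str]:
    """Stand-in for a DNS TXT query; returns [] when nothing is published."""
    return zone.get(normalize(name), [])


def asserted_role(anchor: str, candidate: str,
                  zone: Dict[str, List[str]] = SAMPLE_ZONE) -> Optional[str]:
    """Return the role the anchor's zone assigns to candidate, or None.

    None means the anchor never vouched for this name: either it publishes
    no record at all, or the candidate is absent from the record.
    """
    records = lookup_txt(RECORD_PREFIX + normalize(anchor), zone)
    return parse_related(records).get(normalize(candidate))


def is_related(anchor: str, candidate: str,
               zone: Dict[str, List[str]] = SAMPLE_ZONE) -> bool:
    """Boolean form of asserted_role for simple allow/deny decisions."""
    return asserted_role(anchor, candidate, zone) is not None


if __name__ == "__main__":
    for cand in ("example.support", "example.market", "EXAMPLE.CA."):
        print(cand, "->", asserted_role("example.com", cand))
```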

Phishing attacks using SMS text messages
http://blog.easydns.org/2015/07/11/phishing-attacks-using-sms-text-messages/
Posted Sat, 11 Jul 2015 16:06:36 +0000

Be on your guard, the phishing attacks are coming from every vector nowadays. The other night I received this SMS on my cell phone at about 3:30am.

Obviously a fake login site, in this case we can tell from looking at the domain name itself that it was registered for the explicit purpose of setting up the phishing site (target, TD Bank) – as opposed to a legitimate site being compromised and having the phish kit installed on it.

I just found it interesting to receive a multi-pronged phishing attempt – the hook is cast via SMS to your cell phone, hoping you'll login via the website. In light of the recent release of Hacking Team's stash of 0-day exploits, and given that the phishing hook was aimed at mobile devices, perhaps this was an attempt to compromise vulnerable Android and Windoze devices as well.

Confessions of an ex-opponent of Whois Privacy
http://blog.easydns.org/2015/07/02/confessions-of-an-ex-opponent-of-whois-privacy/
Posted Fri, 03 Jul 2015 03:18:52 +0000

The following is the easyDNS response to ICANN's public comment period on the GNSO Privacy & Proxy Services Accreditation Issues Working Group Initial Report. The public comment period is open until July 7, 2015. We strongly urge you to make your voice known by signing the petition over at Save Domain Privacy.

I submit these comments as the CEO of an ICANN-accredited registrar, a former director of CIRA and a lifelong anti-spam contributor with an unblemished record of running a managed DNS provider that maintains zero tolerance for net abuse or cybercrime, and as someone who maintains a healthy working relationship with the units of our local and federal Law Enforcement Agencies that deal with cybercrime.

In the past easyDNS was opposed to Whois Privacy (a.k.a "Domain Privacy"). We did not offer it and we strongly cautioned our customers against using it.

Our rationale was twofold:

#1) We felt that those connecting to the internet to originate traffic and consume system resources of external parties (i.e. people sending email) had an obligation and a responsibility to be identifiable. For example, we felt (and still do) that nobody has an obligation to accept email from a domain whose contact details are anonymized. This belief still does not conflict with our advocacy of Whois Privacy.

#2) There was agency risk to the Registrants themselves, as once they enabled whois privacy on their domains the "official" owner (or rights holder) of their names became the privacy provider and not the actual registrant. (This fear was borne out as many Registrants did in fact lose their names in the failure of RegisterFly.)

We eventually relented to customer pressure and implemented Whois Privacy and have since completely reversed our opinions on the efficacy of employing it and necessity of making it an option. (For the record, our opinion was not swayed by the additional revenues we garner from offering it. The vast majority of our Registrants making use of Whois Privacy get it at no cost).

It is important to note that once we did change directions and offer Whois Privacy, we found that doing so had absolutely no material effect on occurrences of net abuse, known cases of cybercrime or any other form of civil misdeed such as copyright violations or intellectual property infringement.

We think we know why this is: they are the same reasons the policy shift being considered will have zero effect toward its intended outcome, and why the second-order effects will be primarily negative and disruptive to those who are not guilty of any malfeasance (we refer to these innocent bystanders as "rule followers").

As a result of these experiences, we believe that absent a breach of service terms such as net abuse, the only basis for disclosing underlying Registrant data, especially to copyright and trademark complainants should be subject to:

We will explain our reasoning below. It is based on real world experiences of nearly 20 years in the domain and managed DNS business:

#1 Many Registrants Don't Even Know That the Whois Exists or What's In It.

Awareness that simply registering a domain name results in one's personal contact details being published in a world-viewable digital database is actually quite limited. People who earn their livelihood online may be cognizant of it, although even within this cutting-edge, technologically literate segment a significant number are not. Your average bricklayer, baker or candlestick maker is for the most part oblivious to the existence of Whois.

What they do know is that when they finally get motivated to "join the digital age" and register their first domain name, after dutifully filling out the online form (which is like any other online form they fill out), within days or even minutes they are receiving unwanted spam, phone calls or junk faxes, because their personal details have been harvested from the Whois almost immediately.

Blame, or at the very least suspicion, is then directed toward the Registrar ("You sold my personal data!").

This reason in itself is enough motivation for Registrars to create privacy mechanisms to safeguard Registrants against these unwanted intrusions.

#2 Criminals Lie.

The ostensible justification for the types of changes being considered to Whois Privacy requirements is to make it easier, primarily for rights holders and law enforcement agencies (LEA), to track down infringers and bad actors.

But the fact is that actual criminals do not use their true contact data in domain registrations. In our experience, whenever we take down a known infringing or cybercrime website, whether the domain registration details are privacy masked or not, they always supply bogus Registrant data (often culled from a previous victim).

Similar to our objections against the highly destructive and impotent Whois Accuracy Program, implementing the proposed changes to Whois Privacy requirements will not get anybody any closer to apprehending a single cyber-criminal or preventing a single cybercrime, but will only succeed in making it easier for rule followers with legitimate requirements for Whois Privacy (i.e. whistleblowers, political dissidents, victims of abuse, et al) to have their privacy violated.

#3 Open To Abuse

We have ample first-hand experience with complainants abusing allegations of trademark or copyright infringement in an attempt to do one or more of the following:

cause a website / domain takedown without due process.

force a disclosure of Registrant data with no legal basis.

suppress websites or specific pages from search engine results.

If Section D of Annex E is adopted as proposed we foresee this as an ideal attack vector to compel Registrant data disclosure without being tested by due process.

Third Time's a Charm?

Any changes in Whois Privacy requirements must be considered against the backdrop of previous Whois reform initiatives, because at the end of the day, it's the end-user Registrants who have to adjust to functioning under the combined effect of all of these new policy modifications.

ICANN has thus far implemented two policies around Whois reform which should be considered failures in that they:

do not accomplish their stated goals,

only succeed in penalizing "rule followers"

create new unintended attack vectors against legitimate Registrants.

The first was the Whois Data Reminder Policy (WDRP), which on its own was an annoyance and created a new spearphishing vector, but whose second-order effect was to induce a type of "Whois Notification Blindness" in Registrants by inculcating in them a belief that these notices are harmless annoyances which can be ignored (or worse, filtered away).

Next came the Whois Accuracy Program (WAP) which has done nothing whatsoever to prevent cybercrime but has left a trail of destruction across the internet as legitimate production websites (some of them providing internet infrastructure functionality) inexplicably go offline for the flimsiest of reasons.

What makes WAP so pernicious is that to the average Registrant there is no discernible difference between a WDRP notice (which can be safely ignored) and a WAP notice (which can't!).

After a one-two punch of ineffective policy failures around Whois, the idea now is to take the one remaining aspect of Whois that actually serves a purpose, which is Whois Privacy, that actually accomplishes its primary goals, that provides an invaluable service to law abiding citizens but makes no real difference to criminals, in other words the last vestige of useful functionality in the current Whois model, and we're going to make a new policy that maims it and provides easy mechanisms to game the system and end-run Registrant privacy?

Surely by now ICANN has learned from WDRP and WAP that trying to retrofit accountability processes onto the existing Whois implementation isn't working. We don't need a third policy to ignite yet another round of collateral catastrophes to hammer this lesson home.

Recommendations

Everybody close to this probably concurs that the current Port 43 Whois implementation was never designed for the type of all-reaching global internet we find ourselves in today. Change is certainly needed but it needs to be genuine change, a ground up rewrite of the entire protocol.

Is there an alternative to today’s WHOIS to better serve the global Internet community?

"Instead, the EWG recommends a paradigm shift to a next-generation RDS that collects, validates and discloses gTLD registration data for permissible purposes only.

While basic data would remain publicly available, the rest would be accessible only to accredited requestors who identify themselves, state their purpose, and agree to be held accountable for appropriate use."

This is the groundwork for appropriate guiding principles for the next generation of Whois; of course the devil will be in the details of who has the right to request data and under what circumstances.

We here at easyDNS have spent an inordinate amount of effort over the past years to educate complainants, plaintiffs and even certain law enforcement agencies that there exists in civil society and democracies "due process" and that an allegation has to be proven legally before sanctions can be imposed on people's websites, or before their personal data can be surrendered.

We have two main recommendations for charting the path forward:

1) Any Whois Privacy Policy revisions should be tabled until the entire Whois database is re-engineered as the next generation RDS.

2) That a guiding principle of any future Next Gen Whois / RDS Working Groups should incorporate legal due process and end-user, (that is Registrant) control over their own data records, complete with automated mechanisms to alert Registrants when inquiries are made into their records, what the purpose of those inquiries are and allowing Registrants the ability to withhold disclosure (except in cases of overt net abuse or where a law enforcement agency is pursuing a legitimate investigation subject to a valid warrant).

easyMail difficulties
http://blog.easydns.org/2015/06/25/easymail-difficulties/
Posted Thu, 25 Jun 2015 18:41:56 +0000

The problem we were having with easyMail has now been resolved, so email delivery and behaviour should be back to normal.

We are experiencing some oddities with email delivery since making changes to improve our spam filtering on the new easyMail system. Email is not being lost, but there have been delays and spam-filtering-related notices attached to messages. We are working on this now and expect a resolution shortly.

Andy Lehrer Victorious Against Tim Rourke & Causepimps
http://blog.easydns.org/2015/06/19/andy-lehrer-victorious-against-tim-rourke-causepimps/
Posted Fri, 19 Jun 2015 13:00:05 +0000

A judge has ruled in favour of Andy Lehrer in his suit against Tim Rourke regarding the pages about him on causepimps.ca, and he has been awarded full damages ($25,000) plus costs. Rourke was a no-show in court and his defence was struck.

After some initial confusion as to whether there was actually anything for easyDNS to do (Rourke had already removed the pages that inspired the lawsuit), we have received adequate clarification and, in keeping with our Terms of Service and our Settlement with Mr. Lehrer, we have proceeded with a takedown against the causepimps.ca website.

We'd like to clarify something that came up in the course of all of this, with respect to the context of our use of the word "baseless" in this post. We never intended to convey that we felt Lehrer's claim against Rourke was baseless – our position was always that it would be inappropriate for us to decide the matter or to take any summary action without a legal due process, that was all. What we did feel was that adding us to the suit as a co-defendant was baseless and all things considered, turned out to be counter-productive for the plaintiff. (There is also this article by a US law firm who compared the nuances of US vs Canadian defamation laws which seems to agree with us.)

If litigants want to pursue specific customers they will always be better served to leave the ISPs and the vendors out of it, that way they can truly sit where they belong – as impartial observers on the sidelines awaiting a legal decision one way or the other.

By involving vendors and ISPs, litigants are now fighting a war on two fronts; the vendor may have more at stake, may have deeper pockets, may have better legal representation, may bring unintended public visibility or may just be plain crazier and more stubborn than the litigants' original target.

Despite incurring the expense of dealing with this lawsuit instead of summarily throwing our customer under a bus on a (then unproven) allegation, we have no regrets.

easyMail delays
http://blog.easydns.org/2015/06/17/easymail-delays/
Posted Wed, 17 Jun 2015 17:24:58 +0000

We have isolated an issue which was causing a delay in email delivery in the easyMail system as relating to the greylisting daemon, so we have disabled greylisting until we can get this issue corrected. Email service should be back in place, though there may be a brief delay while the server works through the backlog.

EasyMAIL migration has mostly completed (UPDATED June 14 8:00 EST)
http://blog.easydns.org/2015/06/13/easymail-migration-has-started/
Posted Sun, 14 Jun 2015 02:33:10 +0000

We've just started migrating our easyMAIL service to the new servers. In the maintenance window, your email will be read only. The process should take about ten hours, and we'll update the blog when it's complete.

ETA 8:14 EST:

The new system is now live and new messages are being routed. Not all messages have been synced just yet, with a small portion of messages delivered yesterday still to be pushed over to the new system. If you are missing mail, please rest assured it should appear some time today.

The ICANN Whois Accuracy Program (WAP) FAQ has been posted
http://blog.easydns.org/2015/06/12/the-icann-whois-accuracy-program-wap-faq-has-been-posted/
Posted Fri, 12 Jun 2015 16:56:42 +0000

We've posted the mini-FAQ about the ICANN Whois Accuracy Program (WAP) in the knowledge base. It is available here: https://fusion.easydns.com/index.php?/Knowledgebase/Article/View/260/17/the-icann-whois-accuracy-program-wap

Further Reading:

Unfortunately, We have renewed our ICANN accreditation

As Deadly as a DDoS, ICANN Unleashes the WAP

Malware email alert from registrar@easydns.com
http://blog.easydns.org/2015/06/09/malware-email-alert-from-registrareasydns-com/
Posted Tue, 09 Jun 2015 14:28:38 +0000

Looks like a malware email has been going out with the envelope from set to registrar@easydns.com

Subject: Invoice

The body of the message says simply:

Check Invoice#37

The number varies but seems to be two digits, the attached zip file will be named Invoice#(37).zip where the number will match the one in the body of...
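As an added example (not code from easyDNS or the post), here is a mail-filter rule written from the indicators the alert gives: Subject "Invoice", a body of exactly "Check Invoice#NN" with a two-digit number, and a zip attachment named Invoice#(NN).zip whose number matches the body. The sample messages are constructed inline with Python's standard email module; the From header check is an extra signal only, since the post describes the envelope sender rather than the header.

```python
"""Detection rule for the invoice-lure malware email described in the post:
Subject "Invoice", body "Check Invoice#NN", zip attachment Invoice#(NN).zip
with a matching number.  All sample messages below are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Tuple

SPOOFED_SENDER = "registrar@easydns.com"          # address the lure claims
BODY_RE = re.compile(r"^Check Invoice#(\d{2})$")  # post: number is two digits
ATTACH_RE = re.compile(r"^Invoice#\((\d{2})\)\.zip$", re.IGNORECASE)


def matches_invoice_lure(msg: EmailMessage) -> Tuple[bool, str]:
    """Return (matched, reason) for one parsed message.

    All three indicators must line up: subject, body pattern, and a zip
    attachment whose number equals the one in the body.  A mismatch in the
    numbers is treated as a miss rather than a match, keeping the rule narrow.
    """
    subject = str(msg.get("Subject", "")).strip()
    if subject.lower() != "invoice":
        return False, "subject is not 'Invoice'"
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    body_match = BODY_RE.match(body)
    if body_match is None:
        return False, "body is not 'Check Invoice#NN'"
    number = body_match.group(1)
    for part in msg.iter_attachments():
        attach_match = ATTACH_RE.match(part.get_filename() or "")
        if attach_match and attach_match.group(1) == number:
            note = ""
            if str(msg.get("From", "")).strip().lower().endswith(SPOOFED_SENDER):
                note = f"; From claims {SPOOFED_SENDER}"
            return True, f"zip attachment number {number} matches body{note}"
    return False, "no zip attachment carrying the body's invoice number"


def scan_raw(raw: bytes) -> Tuple[bool, str]:
    """Parse a raw RFC 5322 message (for example from a spool) and check it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return matches_invoice_lure(msg)


def build_sample(body_num: str = "37", attach_num: str = "37") -> EmailMessage:
    """Constructed test message mirroring the post's description."""
    msg = EmailMessage()
    msg["From"] = SPOOFED_SENDER
    msg["To"] = "user@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content(f"Check Invoice#{body_num}")
    # Placeholder bytes, not a real archive; only the filename matters here.
    msg.add_attachment(b"PK\x03\x04 constructed placeholder",
                       maintype="application", subtype="zip",
                       filename=f"Invoice#({attach_num}).zip")
    return msg


if __name__ == "__main__":
    print(scan_raw(build_sample().as_bytes()))
    print(scan_raw(build_sample("37", "42").as_bytes()))
```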